by Andreas Dormann

Flash Player 13.0.0.214: Security Advice

The Problem

In one of our recent projects we discovered by chance an upcoming problem for our users: they will not be able to print PDF documents with our Flex-based application after updating to Flash Player version 13.0.0.214 or higher! Our application uses the open-source AS3 PDF library AlivePDF to generate invoice documents that can first be previewed in the browser and then printed. The client-side-generated PDF is passed to the server via navigateToURL(). But: with 13.0.0.214, it is no longer allowed to send HTTP headers with your request (via navigateToURL). This is breaking hundreds of sites!

The explanation from Jeromie Clark of the Adobe team:

Unfortunately, this was an intentional and necessary change required to address a security issue reported by an external researcher. We sincerely apologize for the inconvenience.
After careful consideration, we found that the only way to truly resolve the issue was to disable support for custom headers in NavigateToURL.
While we would prefer to provide advanced notification for security changes that affect existing content, experience has taught us that it is not a viable approach, and ultimately puts customers at more risk. We go to great lengths to preserve backward-compatibility in general, but it’s our responsibility to balance those considerations with the overall security of end-users and the web at large.
Custom headers continue to be supported via the URLRequest class, and we encourage developers to use those APIs where custom headers are required.

The Solution

Those are the facts as they stand. So let’s find a solution! Adobe proposes a few workarounds (see https://forums.adobe.com/message/6396080), but none of them fulfill our needs. So I’ve tried a few things and found the following way(s). The principle: forgo the use of header instructions with navigateToURL!

1. Use the right "save" method in AlivePDF

Use Method.LOCAL instead of Method.REMOTE. That way you can read the PDF as a ByteArray.
Example:
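The following sketch is an added example, not code from the original post or from AlivePDF: it reads the PDF with Method.LOCAL, uploads the bytes through URLLoader, and then opens the result with a header-free navigateToURL(). The class name PdfPreview, both endpoint URLs and the server behaviour (store the bytes, answer with an id) are assumptions.

```actionscript
package {
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.net.URLRequestMethod;
    import flash.net.navigateToURL;
    import flash.utils.ByteArray;

    import org.alivepdf.pdf.PDF;
    import org.alivepdf.saving.Method;

    public class PdfPreview {
        // Hypothetical endpoints: the first stores the posted bytes and answers
        // with an id, the second serves the stored PDF for that id. The id should
        // be unguessable and bound to the user's session on the server side.
        private static const UPLOAD_URL:String = "https://app.example.com/pdf/upload";
        private static const VIEW_URL:String = "https://app.example.com/pdf/view?id=";

        public function show(pdf:PDF):void {
            // Method.LOCAL returns the document bytes; nothing is sent yet and
            // no navigateToURL() call with custom headers is made.
            var bytes:ByteArray = pdf.save(Method.LOCAL) as ByteArray;

            var upload:URLRequest = new URLRequest(UPLOAD_URL);
            upload.method = URLRequestMethod.POST;
            upload.contentType = "application/octet-stream";
            upload.data = bytes;

            var loader:URLLoader = new URLLoader();
            loader.addEventListener(Event.COMPLETE, onUploaded);
            loader.addEventListener(IOErrorEvent.IO_ERROR, onFailed);
            loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailed);
            loader.load(upload);
        }

        private function onUploaded(e:Event):void {
            var id:String = String(URLLoader(e.target).data);
            // Plain GET with no requestHeaders set on the URLRequest.
            navigateToURL(new URLRequest(VIEW_URL + encodeURIComponent(id)), "_blank");
        }

        private function onFailed(e:Event):void {
            trace("PDF upload failed: " + e);
        }
    }
}
```

Because the "_blank" window is opened from the COMPLETE handler rather than directly from a click, a browser popup blocker may suppress it; a named frame is an alternative target.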
